• CramHacks
  • Posts
  • CramHacks Chronicles #43: Weekly Cybersecurity Newsletter!

CramHacks Chronicles #43: Weekly Cybersecurity Newsletter!

New CVE rules, AI catastrophe, critical CocoaPods flaws, GitLab pipeline bug, OpenSSH vulnerability, unsafe Ruby deserialization, Maven Central bandwidth issues

🥳 Happy Monday! 🥳

This was a busy week for cybersecurity news! Two of my favorite victims are not mentioned in the newsletter (TeamViewer & MoveIT). Check out their latest incidents if you’re interested!

🤔 Want to learn how to write Semgrep rules? Join us on July 30th at 9 AM PT for The Rules! Bring your ideas, and let's make this a collaborative learning experience. https://semgrep.dev/events/the-rules

Table of Contents

General News

Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications
Three critical vulnerabilities in CocoaPods (CVE-2024-38366, CVE-2024-38367, and CVE-2024-38368) expose iOS and macOS apps to supply chain attacks, allowing attackers to hijack pods, execute code, and gain session tokens.

👋 I would avoid CocoaPods like the plague. These vulnerabilities may have been, or at the very least could have been, used to compromise many of the over 3 Million applications that use software packages from CocoaPods.

Maven Central and the tragedy of the commons
Sonatype’s Brian Fox shares how 83% of Maven Central’s bandwidth is consumed by just 1% of IP addresses, mainly from large companies. Sonatype will be throttling traffic in the coming weeks and recommends using a package registry.

Malware / Exploits

regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
Qualys discovered a critical remote unauthenticated code execution vulnerability (CVE-2024-6387) in OpenSSH. This flaw allows attackers to execute code as root on glibc-based Linux systems. Over 14 million OpenSSH instances are potentially vulnerable.

Critical GitLab bug lets attackers run pipelines as any user
CVE-2024-5655 allows attackers to run pipelines as other users in versions from 15.8 to 16.11.5, 17.0 to 17.0.3, and 17.1 to 17.1.1. The issue, rated 9.6 CVSS, is fixed in the latest releases. No abuse has been detected on GitLab-managed platforms.

👋 This was reported by HackerOne member ahacker1; they are currently ranked #1 for GitHub’s HackerOne bounty program, and GitHub even wrote a spotlight blog post about them in 2022.

Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
GitHub’s Peter Stöckli explains unsafe deserialization vulnerabilities in Ruby, focusing on how attackers can execute commands by sending JSON.

Probllama: Ollama Remote Code Execution Vulnerability (CVE-2024-37032) – Overview and Mitigations
Wiz discovered CVE-2024-37032, a critical remote code execution vulnerability in Ollama's AI infrastructure, due to a path traversal flaw. The vulnerable server runs with root privileges for Docker installations, making them a dangerously easy target.

👋 No way, a trivial critical vulnerability in AI infrastructure?!?

rabbit data breach: all r1 responses ever given can be downloaded
On May 16, 2024, the Rabbitude team discovered hardcoded API keys in Rabbit Inc.'s codebase, allowing unauthorized access to read, alter, and delete R1 device responses, change voices, and potentially disable them. These keys affect ElevenLabs, Azure, Yelp, and Google Maps services.

👋 Yet another significant but trivial AI security issue. Hence why, one of my first blog posts was The Bug Bounty Gold Mine: AI/ML third-party packages.

Open Source 

Exploring Memory Safety in Critical Open Source Projects
The CISA report finds that 55% of the total code in these projects is memory-unsafe, with 52% of the projects using memory-unsafe languages.

👋 And to no surprise, projects written in memory-safe languages frequently have direct or transitive dependencies with memory-unsafe code. I don’t love this paper; calling them memory-unsafe languages implies that they’re unsafe to use, and that’s not the case. Also, what was the intended goal? OSS maintainers will not rewrite these projects in rust or similar overnight.

Dev rejects CVE severity, makes his GitHub repo read-only
Fedor Indutny temporarily archived the 'node-ip' GitHub repository, which receives ~17 million weekly downloads, after an assigned CVE caused a flood of contacts. CVE-2023-42282 was assigned a 9.8 CVSS and a critical severity, causing tools like npm audit to flag the issue for users.

👋 GitHub has re-rated the severity for this vulnerability in the GitHub Advisory Database as “Low.” Based on Indutny’s analysis, I agree with the re-assessment.

Vulnerability Management

The CVE program’s new rules: will they affect your vulnerability management?
Written by me! On August 8th, 2024, a new set of rules will apply to the CVE Program. Significant updates include the Right of First Refusal, Technology-neutral Assignments, and Clarity for CVE Assignments.

👋 Sadly, there is still a ton of ambiguity on CVE assignments for upstream projects.

Toward greater transparency: Unveiling Cloud Service CVEs
Microsoft is enhancing transparency by issuing CVEs for critical cloud service vulnerabilities even if no customer action is required, aligning with updated CVE program rules.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.